List bombing: What does it mean and how to avoid it?

Recently, there has been some talk about list bombing. What does this actually mean?

While ISPs concentrate on attacks from a single IP (or IP range) or sending domain, list bombing uses various subscription forms to send just a few mails from each.

The problem for the targeted address is that a lot of mails arrive in a short amount of time without a consistent pattern. The goal is to make the address unavailable for a specific time.

DOI (double opt-in) doesn’t help here either, because the DOI confirmation mail itself can be part of the attack.

The only security mechanism that can help from the sender side is anything that complicates automatic usage of subscription forms, like the famous “captchas”. Please add them to your subscription process whenever possible!
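
Because the DOI mail is itself what lands in the target's inbox, the captcha has to be verified on the server before any mail is sent. The following is an added example (not from the original post) using reCAPTCHA's `siteverify` endpoint; the function names, the hostname `news.example.com`, the secret and the sample submissions are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def post_form(url, fields):
    """Production transport: POST form fields, return the parsed JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)

def captcha_ok(token, secret, expected_host, transport=post_form):
    """True only if reCAPTCHA confirms the token was solved on our own site."""
    if not token:
        return False
    try:
        reply = transport(SITEVERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):
        return False  # fail closed: no verification, no mail
    return reply.get("success") is True and reply.get("hostname") == expected_host

def handle_subscribe(form, secret, expected_host, send_doi, transport=post_form):
    """Send the DOI confirmation mail only after the captcha check passes."""
    token = form.get("g-recaptcha-response")
    if not captcha_ok(token, secret, expected_host, transport):
        return "rejected"  # nothing is mailed to the submitted address
    send_doi(form["email"])
    return "doi_sent"

def fake_transport(url, fields):
    """Constructed stand-in for Google's endpoint so the demo runs offline."""
    hosts = {"solved-on-our-form": "news.example.com", "solved-elsewhere": "other.example.net"}
    host = hosts.get(fields["response"])
    return {"success": True, "hostname": host} if host else {"success": False}

def demo():
    """Run constructed submissions through the handler; return (results, mails sent)."""
    sent = []
    forms = [
        {"email": "alice@example.org", "g-recaptcha-response": "solved-on-our-form"},
        {"email": "victim@example.org"},  # scripted POST without a token
        {"email": "victim@example.org", "g-recaptcha-response": "made-up"},
        {"email": "victim@example.org", "g-recaptcha-response": "solved-elsewhere"},
    ]
    results = [handle_subscribe(f, "test-secret", "news.example.com",
                                sent.append, fake_transport) for f in forms]
    return results, sent
```

Only the first submission produces a DOI mail; the handler rejects the other three before `send_doi` is ever called, so the form cannot be used to deliver mail to an address that never solved the challenge on this site.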

The CSA recently published a recommendation to place the following snippet on websites in order to be safe with GDPR:

Use of Google reCaptcha

To secure our contact form against unwanted usage, we use the Google Inc. service reCaptcha. This service enables the differentiation between input by a human, and abusive and automated input by a machine (Spambot). For this purpose, your IP address and, if necessary, further data required by Google Inc. for the service reCaptcha is transmitted to Google Inc. For this data, the different Privacy Policy from Google Inc. applies. These can be found at https://policies.google.com/privacy?hl=en.

Florian Vierke is a Senior Deliverability Specialist with over seven years of experience in all areas of E-Mail Deliverability & Abuse Management. Florian is a member of MAAWG, Certified Senders Alliance and competence group email and maintains a regular presence at conventions and fairs like Internet Security days, email expo or dmexco.